Review: Hardening Linux

Reviewed by Major Keary

McGraw-Hill's Hardening series is from their Hacking Exposed
stable and uses the same get-straight-down-to-business format.
Hardening Linux is a text for those with a professional-level
interest in Enterprise Linux security; it is concise, contains useful
boxed asides that offer advice and warnings, effectively uses screen
shots to support the text, and provides references to URLs.


Linux has two streams that can be described as 'enterprise' and
'desktop'; servicing enterprise users is where the money is, but most
vendors observe the Open Source spirit and maintain distributions for
use on stand-alone desktop machines and small networks. In this
instance the focus is on Red Hat and Novell (SUSE)
enterprise users but, as the Foreword says, the book "takes a proactive
approach to securing the general Linux systems used today…". There is
mention of Security-Enhanced Linux (SELinux), an ongoing NSA
open source research project (the package can be downloaded from
http://www.nsa.gov/SeLinux/).

An assumption, as stated in the introduction, is that the user has
"purchased a commercially supported Linux server product from a
reputable company that does all the right things to help secure your
server … but … you are responsible for applying the security updates
your vendor provides …".

Hardening is not confined to normal security procedures. It involves
ensuring a Linux server is able to perform its allocated task
efficiently without being exposed to unnecessary risk, and that systems
are in place to prevent misuse or accidental breaches of enterprise
responsibility. It is a matter of balance; after all, the only truly
secure system is one that is always turned off. Apart from protection
from external attack, there need to be measures to prevent internal
attack, misuse, or accidental 'escape' of information.

The book approaches 'hardening' as a systematic process that
involves trade-offs between security issues and access to information
and resources. Each system has its own set of considerations that
need to be identified and assessed. For example, in any given
situation there will be services that are unnecessary and which should
be disabled; the book includes a table of services and what each one
does. In the same chapter it lists services that are available and
which may add to the hardening process if enabled. Another issue is
dependencies: sometimes a particular service requires other daemons to
be running—a table will help in identifying dependencies.

Firewalls, data storage, authentication process, communications,
network monitoring, logfile scanning, and patch-management and
monitoring are each discussed as well as budgetary considerations. An
important contribution to the Linux security literature.

John Terpstra et al.: Hardening Linux

ISBN 0-07-22497-1

Published by McGraw-Hill, 404 pp., RRP $69.95 incl. GST